How do I set up SPF to pass for Mailchimp, SES and EC2 so that DMARC doesn't partially fail due to misalignment
One of my websites sends emails from various sources including:

  • Mailchimp
  • Mandrill
  • Mailgun
  • Amazon SES
  • From the server itself

We have correctly configured SPF & DKIM settings for all of the sources so we decided to add DMARC too and at the same time we changed ?all to -all.

All of our emails have been going through just fine but we've noticed our Mailchimp emails are "SPF Incapable" and as such don't fully pass.

Most email clients / accounts show that DMARC has passed; however, DMARCian & a few email clients throw up a DMARC fail-alignment.

For example:

[screenshot of the DMARC report]

DMARC.io does however say the following:

SPF: SPF is not possible as MailChimp uses their own domain in the bounce address. Their domain authentication verification tool requires including Mailchimp, though. To work-around this without having to include Mailchimp servers, try including only 'ip4:205.201.128.0/20 ip4:198.2.128.0/18 ip4:148.105.8.0/21' in your SPF record.

So, I added those to my SPF however it still shows:

[screenshot of the DMARC report after the change]

All of the following IPs are covered by those CIDR ranges, so I am unable to work out why SPF is still misaligned, but it fixes DKIM...

  • 198.2.185.161
  • 198.2.185.245
  • 198.2.141.4
  • 198.2.175.233
  • 198.2.185.245
  • 198.2.142.122

I did find the following on Stack Overflow: https://mcmap.net/q/1149408/-dmarc-spf-configuration-error however that seems to be slightly wrong in its advice because the bounce server is nearly always different. They've got hundreds of servers.

My SPF looks like:

v=spf1 +a +mx +ip4:94.237.30.75 +ip4:94.237.30.85 +ip4:94.237.30.86 +ip4:94.237.30.87 +ip4:54.77.177.67 +ip4:34.246.233.211 +ip4:52.18.62.128 +ip4:34.241.119.225 +ip4:205.201.128.0/20 +ip4:198.2.128.0/18 +ip4:148.105.8.0/21 include:servers.mcsv.net include:spf.mandrillapp.com include:mailgun.org include:amazonses.com -all

What have I done wrong/can I improve in order to get the SPF aligned?

On a side note, I assume for the first 4 IPs I could just use: +ip4:94.237.30.75/28 which would include those 4 IPs as well as 14 or so other IPs, which isn't really that risky, is it, especially when they won't have DKIM and as a result DMARC passing? To make it a little more secure I could just reduce those 4 records down to +ip4:94.237.30.75 +ip4:94.237.30.85/30 which would only include 1 IP that we don't use.

I do also want to send emails via EC2, rather than SES for some emails (potentially to replace Mailgun/SES) however when we send emails from those servers they get sent to spam for not having a reverse DNS.

I assume the fix for that would be to request a PTR record to be set up by Amazon for the 3x EC2 instances that we use?

I did request one of these before, but I wasn't sure if it is supposed to be pointing to my main website's IP or the IP of the server that it's sending the emails from...

As for SES, even after adding the SPF include and the DKIM record, our SPF record shows "Neutral" rather than "Pass"; for example, the following is from the "Test Email" feature for SES/EC2:

  • SPF: NEUTRAL with IP 54.240.7.46

So to recap...

  1. How do we make Mailchimp fully pass on SPF so that DMARC is aligned?
  2. How do we correctly set up a PTR record for reverse DNS? Should the subdomain point to the server it sent the email from or the server of the main domain?
  3. How do I get Amazon SES to throw an SPF Pass, rather than SPF Neutral?
Lag answered 21/12, 2018 at 1:31 Comment(0)
  1. You can't. The answer in the thread you mentioned is correct. Mailchimp will set the bounce address to its own domain. So adding the ranges to your own SPF record will not change anything (SPF is checked on the bounce address, not the header.from address). While you're not authenticating fully redundantly, you're still passing DMARC and it should not impact reputation for your domain (or nobody would be using MailChimp).
  2. Only the owner of the IP address can set the PTR record in DNS. It should point to the name of the server sending the emails, preferably the name in the EHLO/HELO. This thread has the correct answer, I think, though I've never set it up personally.
  3. What is the bounce address domain used in your Amazon SES emails? Did you set up a Custom MAIL FROM address as explained here? A Neutral result is usually returned for an SPF record ending in ?all and not passing on anything that is to the left of it. Another thing that might be happening (if the SPF domain is your own domain) is that you're hitting the "characters-per-string limit" for DNS TXT records. If you haven't cut the record up into at least 2 strings, the check might not get executed beyond the Mailchimp include. And in the absence of an all modifier (not evaluated), it defaults to neutral. You can see what your SPF record looks like with any lookup tool, but querying your domain with https://dns.google.com for TXT records should show you (escaped) double quote (") marks where the string has been cut. As an example you can check this SPF record to see what it looks like: […]ip4:185.211.120.0\"\"/22 ip4:185.250.236.0/22[…]

One last thing to note is that you're close to the DNS lookup limit. It looks like you're at 8 lookups already. More than 10 lookups will cause the SPF check to result in a PERMERROR.

Mating answered 31/12, 2018 at 14:27 Comment(5)
Re 1: But the bounce address's IP is listed in the ranges that I mentioned, so surely it should pass... Re 2: Yes, you can request Amazon to update the PTR records if you need them. Basically, if the EC2 instance's IP is 54.77.177.67 and the domain of that server is testing.website.com, the PTR should point to testing.website.com NOT website.com. Re 3: I did indeed set up a MAIL FROM and no, the SPF isn't being cut. Re 4: I forgot to ask about my assumption on the first 4 IPs in my SPF, about how I should consolidate them down. - Lag
Indeed the SPF check itself will pass, however, not in alignment with your header.from domain, which DMARC requires. - Mating
Re 3: what do you mean with 'isn't being cut'? Do you have multiple strings in your record? Re 4: yes, your assumption would work by including a /28 subnet. However, your assumption that it won't PASS DMARC without DKIM signing is not correct. DMARC will pass on either DKIM or SPF PASS, in alignment with the header.from domain. Also, this helps a bit towards the 255 character limit, not the 10 lookups limit. Do you really need the +a and +mx methods in there? - Mating
You mentioned "If you haven't cut the record up into at least 2 strings"... that's what I was talking about. I've adjusted those 4 IPs to a /28 subnet. The +a is for the domains, they are all covered by the IPs (94.237.30.75 for example). As for the MX, I am not 100% sure but most of them are sent from 94.237.30.85 and Mailchimp, which are both added, so I could probably get around that. The site secure.fraudmarc.com/tool/spf says I am using 8/10 lookups so everything should be good now? - Lag
If you update your original Question with the most current SPF, I can take a look, to be sure. I'm not that familiar with the fraudmarc.com SPF check, so I can't be 100% certain. By the way, to cut down on the amount of characters in your record, you can also omit the + signs. That one is assumed as the default qualifier. You already left them out for the includes... - Mating
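The three points the answer and comments turn on (SPF is evaluated on the bounce/MAIL FROM domain and must align with the header From for DMARC, TXT strings are capped at 255 characters, and lookup-costing mechanisms are capped at 10) can be checked statically. The script below is an added example, not part of the original thread; it uses the SPF record posted in the question, a constructed Mailchimp bounce domain (mail.mcsv.net) and placeholder sender domains (example.com, bounce.example.com), and only counts lookups at the top level of the record.

```python
"""Static checks for the SPF / DMARC points raised in the answer above."""
import re

# Mechanisms and modifiers that each cost a DNS lookup (RFC 7208 4.6.4; hard limit of 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# The SPF record posted in the question, unchanged.
POSTED_RECORD = ("v=spf1 +a +mx +ip4:94.237.30.75 +ip4:94.237.30.85 +ip4:94.237.30.86 "
                 "+ip4:94.237.30.87 +ip4:54.77.177.67 +ip4:34.246.233.211 +ip4:52.18.62.128 "
                 "+ip4:34.241.119.225 +ip4:205.201.128.0/20 +ip4:198.2.128.0/18 "
                 "+ip4:148.105.8.0/21 include:servers.mcsv.net include:spf.mandrillapp.com "
                 "include:mailgun.org include:amazonses.com -all")

def count_dns_lookups(record: str) -> int:
    """Count lookup-costing terms in this record only.  Terms inside the included
    records (what spf.mandrillapp.com etc. expand to) also count, so online tools report more."""
    names = (re.split(r"[:/=]", t.lstrip("+-~?"), maxsplit=1)[0].lower() for t in record.split()[1:])
    return sum(name in LOOKUP_TERMS for name in names)

def strip_default_qualifiers(record: str) -> str:
    """'+' is the default qualifier, so dropping it saves characters (per the last comment)."""
    return " ".join(t[1:] if t.startswith("+") else t for t in record.split())

def txt_strings(record: str, max_len: int = 255) -> list:
    """A TXT RDATA string holds at most 255 octets; longer SPF records must be published as
    several strings, which resolvers show as "..." "..." and concatenate (RFC 7208 3.3)."""
    return [record[i:i + max_len] for i in range(0, len(record), max_len)]

def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (real checkers use the PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_spf_aligned(spf_result: str, mail_from_domain: str, header_from_domain: str,
                      aspf: str = "r") -> bool:
    """DMARC's SPF component (RFC 7489 3.1.2): SPF must *pass* for the MAIL FROM (bounce)
    domain, and that domain must align with the RFC5322.From domain ('r' relaxed: same
    organizational domain; 's' strict: identical)."""
    if spf_result.lower() != "pass":
        return False
    if aspf == "s":
        return mail_from_domain.lower() == header_from_domain.lower()
    return org_domain(mail_from_domain) == org_domain(header_from_domain)

if __name__ == "__main__":
    print(count_dns_lookups(POSTED_RECORD), "top-level lookups")
    print(len(txt_strings(POSTED_RECORD)), "TXT strings needed for", len(POSTED_RECORD), "chars")
    # Mailchimp bounce domain (constructed) vs sender's From domain (placeholder): SPF passes
    # but is unaligned, so DMARC's SPF leg fails; an SES Custom MAIL FROM subdomain aligns.
    print(dmarc_spf_aligned("pass", "mail.mcsv.net", "example.com"))       # False
    print(dmarc_spf_aligned("pass", "bounce.example.com", "example.com"))  # True
```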
